6 million Facebook users have been affected by a flaw that resulted in the email addresses and phone numbers associated with their accounts being shared with any friend or contact who used the company's Download Your Information (DYI) tool to download an archive of their Facebook account.

According to the notice posted by Facebook on Friday, the glitch, which has since been fixed, even allowed users to download email addresses or telephone numbers that were not connected to any Facebook user, or just the names of individuals.

How could this happen, you wonder?

Well, as it turns out, when users share their phone contacts with Facebook, the company uses the information to suggest friends who are already on Facebook, but it also keeps the information and associates it with those contacts' accounts, thus creating a sort of "shadow profile" for every user.

Two bits of functionality must be leveraged in order for this to work - the DYI (Download Your Information) functionality and the ability to upload your contacts.

The flow is simple. Upload your contacts and then go to Download Your Information under Account Settings and choose the link at the bottom to get your Expanded Dataset.

Hours pass and eventually a link is emailed stating that your download is ready. When you open the downloaded archive, there is a file inside called addressbook.html. This file is supposed to house the contact information you uploaded. However, due to a flaw in how Facebook implemented this, it also housed contact information from other uploads that other users had performed for the same person, provided you had one piece of matching data, effectively building large dossiers on people.

In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information. It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.
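The merging behaviour described above can be modelled in a few lines. The following is an added illustration, not Facebook's code and not part of the Packet Storm write-up: uploads from several users are linked whenever they share one identifier (an email address or phone number, both constructed sample values), and the flawed export hands the requester every value anyone ever uploaded for the linked person, while the corrected export returns only what the requester uploaded. All user names, contacts and function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data: three users upload address-book entries for the
# same person. Each entry is (uploader, {field: value}). Not real data.
UPLOADS = [
    ("user_a", {"name": "Alice Example", "email": "alice@example.org"}),
    ("user_b", {"name": "A. Example", "email": "alice@example.org",
                "phone": "+1-555-0100"}),
    ("user_c", {"name": "Alice", "phone": "+1-555-0100",
                "email": "alice.private@example.net"}),
    ("user_a", {"name": "Bob Example", "email": "bob@example.org"}),
]

# Fields that are treated as linking identifiers (assumption for the model).
IDENTIFIER_FIELDS = ("email", "phone")


def link_uploads(uploads):
    """Group upload indices that refer to the same person.

    Two uploads are linked when they share any identifier value; links are
    transitive (A-B via email, B-C via phone => A, B, C are one person).
    Implemented as a small union-find."""
    parent = list(range(len(uploads)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i, j):
        ri, rj = find(i), find(j)
        if ri != rj:
            parent[rj] = ri

    first_seen = {}  # (field, normalised value) -> first upload index
    for idx, (_, entry) in enumerate(uploads):
        for field in IDENTIFIER_FIELDS:
            value = entry.get(field)
            if value is None:
                continue
            key = (field, value.strip().lower())
            if key in first_seen:
                union(first_seen[key], idx)
            else:
                first_seen[key] = idx

    groups = defaultdict(set)
    for idx in range(len(uploads)):
        groups[find(idx)].add(idx)
    return list(groups.values())


def export_vulnerable(uploads, requester):
    """Flawed addressbook export: for every person the requester uploaded,
    return the merged record, i.e. values contributed by *any* uploader."""
    profiles = []
    for group in link_uploads(uploads):
        if not any(uploads[i][0] == requester for i in group):
            continue  # requester never uploaded this person
        merged = defaultdict(set)
        for i in group:
            for field, value in uploads[i][1].items():
                merged[field].add(value)
        profiles.append({f: sorted(v) for f, v in merged.items()})
    return profiles


def export_fixed(uploads, requester):
    """Corrected export: the requester gets back exactly the entries they
    uploaded, never data contributed by other users."""
    return [dict(entry) for uploader, entry in uploads if uploader == requester]


def leaked_values(uploads, requester):
    """(field, value) pairs the flawed export returns that the requester
    never uploaded themselves; a measure of the over-sharing."""
    own = {(f, v) for uploader, entry in uploads if uploader == requester
           for f, v in entry.items()}
    leaked = set()
    for profile in export_vulnerable(uploads, requester):
        for field, values in profile.items():
            for v in values:
                if (field, v) not in own:
                    leaked.add((field, v))
    return sorted(leaked)


if __name__ == "__main__":
    print("flawed export  :", export_vulnerable(UPLOADS, "user_a"))
    print("fixed export   :", export_fixed(UPLOADS, "user_a"))
    print("leaked to user_a:", leaked_values(UPLOADS, "user_a"))
```

Running it shows that user_a, who uploaded only one public email address for Alice, receives a second email address, a phone number and two alternative names from the flawed export, while the fixed export returns nothing beyond the two entries user_a supplied. The design point is that a per-person merged record may be fine as an internal suggestion index, but any export to a user must be scoped to that user's own contributions.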

The flaw was discovered by a researcher who reported it to the Facebook White Hat program, and had apparently been present since 2012.

"We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing," the company noted, adding that "no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool."

Privacy-minded users have taken to online forums to express their outrage at the fact that Facebook keeps all this data about them - data that they may have intentionally not shared with the social network, but which was nevertheless harvested from other users' contacts and tied to them.

ZDNet's Violet Blue and Packet Storm pointed out the problematic ways in which the glitch might have been misused by individuals set on harassing other (known and unknown) people, but unfortunately there is not much one can do about all this.

"I would consider deleting my account, but based on the fact that this affects me regardless of whether or not I'm a user just makes the decision an exercise in futility. I hope that Facebook takes into account the adverse effects of their behavior and brings our questions back to the decision making table," commented the latter.

The problem is that, whether or not users have given Facebook permission to collect this data (they have - it says so in the Terms of Service and Privacy Policy), the data is technically not theirs, but Facebook chooses not to see it that way.

The glitch may be fixed, but the shadow accounts will still be there.

"They have the ability to make a really positive change that sets the standard in the valley for security of user data. Alternatively, another social networking site might take this opportunity to highlight that this behavior will not happen on their systems, and a mass exodus of Facebook may occur, though we doubt that very much," say the security enthusiasts at Packet Storm. "What we need are governments to enact legislation that forces the hand, but given recent news items in the United States, it is clear that not all governments are making this a top priority."
